getpwent(3) bug -- security hole

Bruce Nemnich bruce at godot.UUCP
Thu Sep 20 04:52:44 AEST 1984


There was some discussion a few months ago about a problem with null
entries in /etc/passwd.  These can be caused by running chfn or chsh on
a passwd file which has a blank line, often mistakenly left at the end
of the file by humans.  It presents a gaping security hole if it happens.

The problem is in getpwent(3).  There are two parts to my fix: the first
keeps a newline from getting in a field in the returned structure if not
all fields are filled out on the passwd line, and the second ignores
leading whitespace and blank lines.

*** /tmp/,RCSt1014083	Wed Sep 19 14:38:06 1984
--- getpwent.c	Wed Sep 19 14:08:15 1984
***************
*** 28,34
  pwskip(p)
  register char *p;
  {
! 	while( *p && *p != ':' )
  		++p;
  	if( *p ) *p++ = 0;
  	return(p);

--- 28,34 -----
  pwskip(p)
  register char *p;
  {
! 	while( *p && *p != ':' && *p != '\n')
  		++p;
  	if( *p ) *p++ = 0;
  	return(p);
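Review bot: in the new while condition, stopping at '\n' keeps the newline out of the field, but a short line is still accepted. Once the newline is overwritten by `if( *p ) *p++ = 0;`, p rests on the terminating NUL that fgets wrote, so every later pwskip() call returns that same empty string and the caller gets an entry whose remaining fields are all "". Consider having the caller count the separators actually found and skip a line that has too few, and add a one-line comment on the '\n' test saying it guards against lines with missing fields.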
***************
*** 43,51
  		if( (pwf = fopen( PASSWD, "r" )) == NULL )
  			return(0);
  	}
! 	p = fgets(line, BUFSIZ, pwf);
! 	if (p==NULL)
! 		return(0);
  	passwd.pw_name = p;
  	p = pwskip(p);
  	passwd.pw_passwd = p;

--- 43,55 -----
  		if( (pwf = fopen( PASSWD, "r" )) == NULL )
  			return(0);
  	}
! 	do {
! 		p = fgets(line, BUFSIZ, pwf);
! 		if (p==NULL)
! 			return(0);
! 		/* skip whiteness at beginning of line */
! 		while (*p == '\t' || *p == ' ' || *p == '\n') p++;
! 	} while (*p == '\0');		/* skip blank lines */
  	passwd.pw_name = p;
  	p = pwskip(p);
  	passwd.pw_passwd = p;
-- 
--Bruce Nemnich, Thinking Machines Corporation, Cambridge, MA
  {astrovax,cca,harvard,ihnp4,ima,mit-eddie,...}!godot!bruce, BJN at MIT-MC.ARPA
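
An audit for the condition described in this post, as an added example that is not part of the original message or of the 4BSD sources: it flags blank lines, entries with an empty login name, and lines with the wrong field count before a parser such as getpwent(3) sees them. The names `pw_check_line` and `pw_audit`, the seven-field layout, and the sample data are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

enum pw_problem { PW_OK = 0, PW_BLANK, PW_EMPTY_NAME, PW_FIELD_COUNT };

/* Classify one line; parsing stops at the newline or the terminating NUL. */
enum pw_problem pw_check_line(const char *line)
{
	const char *p = line;
	int colons = 0;
	while (*p == ' ' || *p == '\t')
		p++;
	if (*p == '\0' || *p == '\n')
		return PW_BLANK;        /* blank or whitespace-only line */
	if (*p == ':')
		return PW_EMPTY_NAME;   /* null entry: no login name */
	for (; *p && *p != '\n'; p++)
		if (*p == ':')
			colons++;
	return colons == 6 ? PW_OK : PW_FIELD_COUNT;  /* assumes 7 fields */
}

/* Audit a passwd image held in memory; returns the number of bad lines. */
int pw_audit(const char *text, FILE *report)
{
	static const char *const why[] = { "ok", "blank line",
		"empty login name", "wrong number of fields" };
	int lineno = 0, bad = 0;
	while (*text) {
		const char *eol = strchr(text, '\n');
		enum pw_problem r = pw_check_line(text);
		lineno++;
		if (r != PW_OK) {
			bad++;
			if (report)     /* report may be NULL to count silently */
				fprintf(report, "line %d: %s\n", lineno, why[r]);
		}
		if (eol == NULL)
			break;
		text = eol + 1;
	}
	return bad;
}

/* Constructed sample: a valid entry, a null entry, a trailing blank line. */
static const char sample[] =
	"root:x:0:0:Super-User:/:/bin/sh\n" "::0:0:::\n" "\n";

int main(void) { return pw_audit(sample, stdout) == 2 ? 0 : 1; }
```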



More information about the Comp.bugs.4bsd.ucb-fixes mailing list